“Information Fiduciaries” Must Protect Your Data Privacy

Legislators across the country are writing new laws to protect your data privacy. One tool in the toolbox could be “information fiduciary” rules. The basic idea is this: When you give your personal information to an online company in order to get a service, that company should have a duty to exercise loyalty and care in how it uses that information. Sounds good, right? We agree, subject to one major caveat: any such requirement should not replace other privacy protections.

Why We Need Information Fiduciary Rules

The law of “fiduciaries” is hundreds of years old. It arises from economic relationships based on asymmetrical power, such as when ordinary people entrust their personal information to skilled professionals (doctors, lawyers, and accountants particularly). In exchange for this trust, such professionals owe their customers a duty of loyalty, meaning they cannot use their customers’ information against their customers’ interests. They also owe a duty of care, meaning they must act competently and diligently to avoid harm to their customers. These duties are enforced by government licensing boards, and by customer lawsuits against fiduciaries who do wrong.

These long-established skilled professions have much in common with new kinds of online businesses that harvest and monetize their customers’ personal data. First, both have a direct contractual relationship with their customers. Second, both collect a great deal of personal information from their customers, which can be used against these customers. Third, both have one-sided power over their customers: online businesses can monitor their customers’ activities, but those customers don’t have reciprocal power.

Accordingly, several law professors have proposed adapting these venerable fiduciary rules to apply to online companies that collect personal data from their customers. New laws would define such companies as “information fiduciaries.”

What Information Fiduciary Rules Would Do

EFF supports legislation to create “information fiduciary” rules. While the devil is in the details, those rules might look something like this:

If a business has a direct contractual relationship with a customer (such as an online terms-of-service agreement), the business would owe fiduciary duties to their customer as to the use, storage, and disclosure of the customer’s personal information. Covered entities would include search engines, ISPs, email providers, cloud storage services, and social media. Also covered would be online companies that track user activity across their own websites, and (through tracking tools) across other websites.

To avoid an undue burden on small start-ups and noncommercial free software projects that often spur innovation, information fiduciary rules would exempt (wholly or partially) smaller entities. A company’s size would be defined by its revenue, or by its number of customers or employees. Care should be taken to make sure that these rules (like any others) do not inadvertently cement the power of the current technology giants.

Covered entities would owe their customers a duty of loyalty, that is, to act in the best interests of their customers, without regard to the interests of the business. They would also owe a duty of care, that is, to act in the manner expected by a reasonable customer under the circumstances. These duties would apply regardless of whether the customer pays for the service. However, they would not bar a covered entity from earning a profit with their customers’ data.

If a business violates one of these duties, the customer would be able to bring their own lawsuit against the business.

New information fiduciary rules would help address situations that have arisen in the past:

If a company collects data for one purpose, it would not be allowed to use that data for an entirely different purpose, or transfer it to a third party that would do so. For example, the self-description you give a company in response to a personality quiz should not be used to try to influence how you vote. Similarly, the phone number you give a company to secure your personal information with two-factor authentication should not be used for targeted ads.

If an online business gathers and stores its customers’ personal information, it would be required to take reasonable steps to secure that information and to promptly notify you if the information leaks or is stolen.

An online business would not be allowed to secretly conduct human subject experiments on its customers that attempt to change their moods or behaviors.

The rules could also help in potential future situations:

If a customer publicly criticizes an online business, the business would not be allowed to attempt to discredit the customer by publishing their personal information.

If an online business provides travel directions to a customer, it would not be allowed to secretly route a customer past another business that paid for this routing.

If a social media company encourages its customers to vote, it would not be allowed to selectively do so based on whether a customer’s personal information indicates they will vote consistently with the company’s political preferences.

What Information Fiduciary Rules Would Not Do

While information fiduciary rules would be an important step forward, they are just one strand of the larger tapestry of data privacy legislation.

First, while information fiduciary rules are a good fit for “first-party” data miners that have a direct contractual relationship to their customers (such as social media companies and online vendors), these rules may be less applicable to “third-party” data miners that have no direct relationship to the people whose data they gather (such as credit agencies). The essence of the fiduciary relationship is the choice of a customer to entrust someone else with their personal information.

Second, while information fiduciary rules would limit how a first-party data miner may use, store, and disclose a customer’s personal information, these rules may have less to say about when and how a business may initially collect a customer’s personal information.

Third, there is uncertainty as to how information fiduciary rules will be applied in practice. Fiduciary rules are hundreds of years old, and have typically been applied to skilled professionals. But since the law of information fiduciaries does not yet exist, it remains unclear exactly what enforceable limits it will place on online businesses.

We should not put all of our eggs in this one basket. EFF supports information fiduciary rules. But these rules must not displace other data privacy rules that EFF also supports, such as opt-in consent to collect or share personal information, the “right to know” what personal information has been collected from you, and data portability. Companies subject to data fiduciary rules must follow these other data privacy rules, too.

Likewise, a federal information fiduciary statute must not preempt state laws that provide these other privacy safeguards. EFF has been sounding the alarm against federal legislation that preempts strong state data privacy laws—and that includes any federal law on information fiduciaries.
